Encrypt data at rest and in motion
In this we will learn about transparent Data Encryption (TDE) for dedicated SQL pool in Azure Synapse Analytics. And, also about how to encrypt data in rest and in motion.
Required Permissions
To enable Transparent Data Encryption (TDE), you must be an administrator or a member of the dbmanager role.
Enabling Encryption
To enable TDE, follow the steps below:
- Firstly, open the database in the Azure portal
- Secondly, in the database blade, click the Settings button
- Thirdly, select the Transparent data encryption option portal settings
- then, select the On setting
- Lastly, select Save
Disabling Encryption
To disable TDE, follow the steps below:
- Firstly, open the database in the Azure portal
- Secondly, in the database blade, click the Settings button
- Thirdly, select the Transparent data encryption option portal settings
- Then, select the Off setting portal
- Lastly, select Save
Information protection and encryption
Transport Layer Security (Encryption-in-transit)
SQL Database, SQL Managed Instance, and Azure Synapse Analytics secure customer data by encrypting data in motion with Transport Layer Security (TLS). However, it is recommended that in the connection string used by the application, you specify an encrypted connection and not trust the server certificate. This forces your application to verify the server certificate. Thus, it prevents your application from being vulnerable to man in the middle type attacks.
Transparent Data Encryption (Encryption-at-rest)
Transparent data encryption (TDE) for SQL Database, SQL Managed Instance, and Azure Synapse Analytics adds a layer of security to help protect data at rest from unauthorized or offline access to raw files or backups. However, common scenarios include data center theft or unsecured disposal of hardware or media such as disk drives and backup tapes. TDE encrypts the entire database using an AES encryption algorithm, which doesn’t require application developers to make any changes to existing applications.
Key management with Azure Key Vault
Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE) allows customers to take ownership of key management and rotation using Azure Key Vault, Azure’s cloud-based external key management system. However, if the database’s access to the key vault is revoked, a database cannot be decrypted and read into memory. Azure Key Vault provides a central key management platform, leverages tightly monitored hardware security modules (HSMs), and enables separation of duties between management of keys and data to help meet security compliance requirements.
Always Encrypted (Encryption-in-use)
Always Encrypted is a feature designed to protect sensitive data stored in specific database columns from access (for example, credit card numbers, national identification numbers, or data on a need to know basis). This includes database administrators or other privileged users who are authorized to access the database to perform management tasks, but have no business need to access the particular data in the encrypted columns. Moreover, the data is always encrypted. This means the encrypt data can decrypt only for processing by client applications with access to the encryption key.
Dynamic data masking
Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Moreover, Dynamic data masking automatically discovers potentially sensitive data in Azure SQL Database and SQL Managed Instance and provides actionable recommendations to mask these fields, with minimal impact to the application layer. However, it works by obfuscating the sensitive data in the result set of a query over database fields, while there is no change in the data in the database.
Security management
Vulnerability assessment
Vulnerability assessment is an easy to configure service that can discover, track, and help remediate potential database vulnerabilities with the goal to proactively improve overall database security. However, VA is part of the Azure Defender for SQL offering. Further, this refers to a unified package for advanced SQL security capabilities.
Data discovery and classification
Data discovery and classification (currently in preview) provides advanced capabilities built into Azure SQL Database and SQL Managed Instance for discovering, classifying, labeling, and protecting the sensitive data in your databases. However, discovering and classifying your utmost sensitive data can play a pivotal role in your organizational Information protection stature. It can serve as infrastructure for:
- Firstly, various security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
- Secondly, controlling access to, and hardening the security of, databases containing highly sensitive data.
- Thirdly, helping meet data privacy standards and regulatory compliance requirements.
Reference: Microsoft Documentation, Documentation 2